Dynamic and Static
Null Puliya: Bangalore: 17/06/2023
Notes for the community; the basics, for noobs.
Introduction to Malware Analysis:
Download Windows 10/11 on the host OS and import the appliance (OS) into a VM (VirtualBox/VMware).
After import, follow the steps on the guest OS (I am using Windows 11 Enterprise).
On the guest machine (Windows 10/11), use the command below from the terminal to activate the free 90-day license key.
cmd > run as administrator
slmgr.vbs /ato
From Host machine:
C:\Program Files\Oracle\VirtualBox>VBoxManage.exe setextradata "Windows" "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" 1
After installation, take a snapshot of the guest OS. Take a snapshot every time; it is a best practice.
Download the MA (malware analysis) tools into the guest OS.
DEBLOAT: look up on Google what Debloat is and what it does.
PS > run as administrator > execute the commands below
- iwr -useb https://git.io/debloat | iex
- reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
Installation Part:
Wireshark, WinPcap, WinDump, Npcap, USBPcap.
Note: if WinPcap and USBPcap are not installed properly, WinDump will not work.
Download and install for the demo:
Graphviz, ProcDOT, Procmon, Regshot, FakeNet
Important tools for basic malware assessment/analysis:
Trifecta:
Procmon, Wireshark, ProcDOT
Misc:
Regshot, FakeNet-NG, PEStudio/PE-bear, Process Explorer
Download the sample malware from VirusTotal / MalwareBazaar / https://app.any.run
START > PE/Strings > FakeNet > Regshot 1 > Wireshark > Procmon > Execute > Procmon > Wireshark > Regshot 2 / compare > ProcDOT > STATEX > Story
Disable Windows Defender from Windows Security.
Demo:
Tool for the demo: PEStudio
Drag and drop the sample malware file into PEStudio and analyse the hash, indicators, blacklist and groups.
What are magic numbers in malware analysis?
Analysis from entropy:
An entropy above 5 means some patterns exist in the file.
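The two static checks above (the executable's magic numbers and its entropy) as an added example; this is not code from the workshop. It checks the `MZ` / `PE\0\0` magic numbers and computes Shannon entropy per chunk, flagging chunks above the threshold of 5 used in these notes; the chunk size and the sample bytes are assumptions constructed for the demo.

```python
import math
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (all bytes identical) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_mz_pe_magic(data: bytes) -> bool:
    """Check the two magic numbers of a Windows PE file:
    'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def high_entropy_regions(data: bytes, chunk: int = 4096,
                         threshold: float = 5.0) -> List[Tuple[int, float]]:
    """Return (offset, entropy) for every chunk whose entropy exceeds the threshold.
    The threshold 5.0 follows the workshop notes; packed or encrypted sections
    usually sit much higher, around 7.0 to 8.0."""
    hits = []
    for off in range(0, len(data), chunk):
        h = shannon_entropy(data[off:off + chunk])
        if h > threshold:
            hits.append((off, round(h, 3)))
    return hits


# Constructed sample (assumption, not a real binary): a minimal MZ/PE header,
# a zero-filled low-entropy chunk, then a chunk containing every byte value
# equally often, which is the maximum-entropy case a packer approaches.
_HEADER = b"MZ" + bytes(0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
SAMPLE = _HEADER + bytes(4096 - len(_HEADER)) + bytes(range(256)) * 16

if __name__ == "__main__":
    print("MZ/PE magic present:", has_mz_pe_magic(SAMPLE))
    print("whole-file entropy:", round(shannon_entropy(SAMPLE), 3))
    print("chunks above threshold:", high_entropy_regions(SAMPLE))
```

In a real triage the per-chunk (or per-section) view matters more than the whole-file number, because one packed section can hide behind a large low-entropy remainder.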
Glimpse of the dynamic testing demo: Tools:
Dynamic
Start Procmon, ProcDOT, Wireshark and FakeNet.
Run 267.exe, converted from 267.bin (sample).
Execute 267.exe with "Run as administrator".
Capture the execution in the tools, then stop Procmon and Wireshark. Save the Procmon capture as CSV and the Wireshark capture as pcap.
Attach the Procmon CSV file to ProcDOT, click Launcher, add the process 267.exe, choose "compressed", and get the graphical view of the execution.
We can execute the same steps in a sandbox environment like app.any.run (sandbox).
Automated Analysis:
Non-interactive:
- https://joesandbox.com/#windows
- https://virustotal.com/ (static)
- https://www.filescan.io/
- https://www.hybrid-analysis.com/
- https://cuckoosandbox.org/ (self-hosted)
Interactive: